This Indian Standard was adopted by the Bureau of Indian Standards, after the draft finalized by the Information System Security Sectional Committee had been approved by the Electronics and Telecommunication Division Council.

The proliferation of personal computers, local area networks and distributed processing has drastically changed the way information resources are protected. There has been a trend of concentrating more and more information in computers to facilitate the use of timely and accurate information. Since information technology has changed so rapidly, the internal controls and the control points needed for protection that were present in the past do not provide a good solution for the present day computerised information system. Also, while in the past users have fully depended on computer technologists for the protection of information, they are now recognising that computers and computer related problems must be understood and managed like any other resources. Reliance upon inadequately controlled information systems can have serious consequences, including:

i) Loss of integrity of information impairing the organisation's ability to perform its functions,
ii) Inability to provide needed services to the users,
iii) Loss of competitive edge due to leakage of confidential information, and
iv) Loss of credibility or embarrassment to the organisation.

To avoid these consequences, a broad set of information security issues must be addressed effectively and comprehensively for taking appropriate measures. The purpose of the protection service is to protect the integrity and confidentiality of data and ensure that the information is available when required and only to those who are authorised and genuine users. Thus management of protection of information resources has three basic components:

i) Integrity - Safeguarding the accuracy and completeness of information.
ii) Confidentiality - Protecting sensitive information from unauthorised disclosure.
iii) Availability - Ensuring availability of information when required.

The integrity of the information has to be ensured by providing protection against the following:

i) Unauthorised data modification/deletion, and
ii) Unauthorised data creation/insertion.

The confidentiality of information is aimed at protecting information from unauthorised disclosure to individuals or processes. It ensures the following:

i) Confidentiality of a data unit as well as of specific fields within a data unit,
ii) Confidentiality of data in a connected environment,
iii) Protection from direct or indirect derivation of information from observation of information traffic communicated over a network.

Since information is represented through data, information can be derived from data in a number of ways:
Indian Standard

GUIDE FOR PROTECTION OF INFORMATION RESOURCES

1 SCOPE

This guide is intended to be used as a guide for policy makers, managers and employees of an organisation who are responsible for initiating, implementing and maintaining protection of computer systems and data processed within their organisation. It is aimed at providing help for developing a structured and defined process for protection of information resources and implementing that. It is also meant to serve as a guide for identifying the range of controls required for most situations encountered in the context of information systems. This guide is also beneficial in such cases where information flows through a network, as it provides a framework for enabling a mechanism for establishing mutual trust between organisations which are networked partners, and a basis for facilities management between information users and service providers.

2 TERMINOLOGY

2.1 Information Resource - Information takes many forms. It can be stored on computer, transmitted across the networks, printed at or written down on paper etc. This Information Resource is defined as any and all information, regardless of form, that is contained in or possessed by the organisation's computer system facilities, communication networks, or storage media. Information resources may consist of trade secrets, confidential documents, or other information considered to be valuable assets.

3 THREATS TO INFORMATION RESOURCES

Major threats to the information resources are due to people, belonging both from inside or outside the organisation. By far, the most costly losses to information resources incurred by organisations result from human errors, accidents and omissions by employees, resulting in loss of integrity and confidentiality. In addition, there may be physical threats to information resources.

3.1 Threats to Information Integrity

Integrity attacks aim at defeating the mechanisms used to provide integrity of information. Thus, they can be put under the following classes:

i) Attacks aimed at suborning access prevention mechanisms. Such attacks include:
a) Attacks on the mechanism itself,
b) Penetration of the services the mechanism relies upon, like routing control and access control, and
c) Exploitation of utilities with unintended side-effects.

ii) Attacks aimed at defeating cryptographic mechanisms or at exploiting weaknesses of such mechanisms. Such attacks include:
a) Penetration of the cryptographic mechanisms, like digital signature mechanisms or functions, and
b) Deletion and replication.

iii) Attacks aimed at defeating the contextual mechanism used. Such attacks include:
a) Massive, coordinated changes of data-item replicas, and
b) Penetration of the context establishing mechanism.

iv) Attacks aimed at defeating detection and acknowledgement mechanisms. Such attacks include:
a) False acknowledgements, and
b) Exploitation of faulty sequencing between the acknowledgement mechanism and the treatment of the received data.

v) Attacks through Viruses and other Malicious Code. Such attacks include:
a) Viruses: Programs which modify other programs and reproduce endlessly, infecting other programs,
b) 'Worms' and 'Trojan Horses' often cause damage to the software, and
c) Electronic Bulletin Boards: Although in general they offer useful information, a small percentage of bulletin boards, however, are not harmless.
vi) Threats particular to media. Such threats include:
a) Threat against the media in which information is stored, and
b) Threat against the media through which information is transmitted.

3.2 Threats to Information Confidentiality

The threat to the protected data is an unauthorised disclosure of information encoded in the data or disclosure of the data characteristics. The particular threats that exist in different environments are addressed as follows:

i) Threats when confidentiality is provided through access prevention. Such threats include:
a) Penetration of the access prevention mechanism,
b) Penetration of the integrity mechanism used to protect certificates,
c) Exploitation of system utilities that may disclose, directly or indirectly, information about the system, and
d) Covert channel.

ii) Threats when confidentiality is provided through information hiding. Such threats include:
a) Penetration of the cryptographic mechanism,
b) Traffic analysis,
c) Analysis of protocol data unit headers,
d) Browsing and eavesdropping, and
e) Covert channel.

3.3 Threats to Information Availability

3.3.1 Improper Operations

Some improper operations carried out inadvertently or deliberately may lead to damage of the computer system, the network (if applicable), or the information resource.

3.3.2

This sometimes may lead to system unavailability due to lack of maintenance or maintenance by an incompetent agency.

3.3.3 Lack of Proper Maintenance of Information

Unless a systematic procedure is followed for regular backup, information may not be available when needed.

3.4 Physical Threats

3.4.1

Fire damage is the most significant and prevalent physical threat facing data processing organisations, which can lead to heavy loss of information resources.

3.4.2 Water Threat

The compact nature of computers, coupled with their high electrical and cooling loads, makes data processing equipment particularly susceptible to even the smallest amount of moisture.

Blackouts and power surges are also possible sources of loss of data.

IS 14356 : 1996

4 INFORMATION PROTECTION SERVICES AND MECHANISMS

Protection of information resources is achieved by ensuring data integrity and data confidentiality, as information is stored and transmitted in the form of data. Thus, information protection services consist of protection against integrity violations and protection against confidentiality violations.

4.1 Types of Information Protection Services

Protection services can be classified according to the following criteria:

4.1.1 By the type of violation they protect against:
i) Unauthorised data modification,
ii) Unauthorised data deletion, and
iii) Unauthorised data creation.

4.1.2 By the type of protection they provide:
i) Protection of data semantics, and
ii) Protection of attributes associated with data semantics.

4.1.3 By the types of attacks against which the information is protected:
i) Protection against external attacks, and
ii) Protection against internal attacks.

4.1.4 By the recovery mechanism they provide:
i) In case of data corruption, and
ii) In case of deletion.

4.1.5 By the type of protection they support:
i) Prevention of integrity compromise, and
ii) Detection of integrity compromise.

4.2 Types of Protection Mechanisms

4.2.1 Those which prevent access to the medium. Such mechanisms include:
i) Physically isolated, noise free channels,
ii) Routing control, and
iii) Access control.

4.2.2 Those which detect unauthorised modification of data or of a sequence of data items, including cases of data creation, data deletion and data replication. Such mechanisms include:
i) Digital signature,
ii) Data replication,
iii) Hashing function in conjunction with cryptographic transformations, and
iv) Message sequencing.

4.2.3 Those which are mapping techniques that render the information to be protected relatively inaccessible to all but those who possess some critical information about the mapping techniques. Such techniques include:
i) Encipherment, and
ii) Data padding.

4.2.4 Those which provide confidentiality to the data through different means:
i) Confidentiality provision through protocol data unit header protection, and
ii) Confidentiality provision through contextual location.
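The detection mechanisms of 4.2.2 (a hashing function combined with a cryptographic transformation, plus message sequencing) can be applied together in one receiver-side check. The Python below is an added example, not part of the standard; it uses HMAC-SHA256 as the keyed hash and a 64-bit sequence number, and runs a constructed scenario of modification, deletion, replication and forged creation (the key and records are made up for the demonstration).

```python
"""Integrity check: keyed hash (HMAC-SHA256) plus message sequencing.

Each protected record is laid out as
    seq (8 bytes, big-endian) || payload || tag (32 bytes)
with tag = HMAC(key, seq || payload).  The tag detects modification and
records created without the key; the sequence number detects replication
(a number seen before) and deletion (a hole before the number received).
"""
import hashlib
import hmac
import struct
from typing import NamedTuple, Optional

SEQ_LEN = 8     # unsigned 64-bit sequence number
TAG_LEN = 32    # HMAC-SHA256 output length


class Result(NamedTuple):
    status: str               # "ok", "modified", "replicated" or "malformed"
    gap: int                  # records missing (deleted/lost) before this one
    payload: Optional[bytes]  # verified payload, or None when rejected


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: bind the sequence number and payload under one tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verify the tag first, then judge the sequence number."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._next = 0            # lowest sequence number not yet accounted for
        self._seen: set = set()   # sequence numbers already accepted

    def accept(self, record: bytes) -> Result:
        if len(record) < SEQ_LEN + TAG_LEN:
            return Result("malformed", 0, None)
        header = record[:SEQ_LEN]
        payload = record[SEQ_LEN:-TAG_LEN]
        tag = record[-TAG_LEN:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison.  A wrong tag means the data was altered in
        # transit or the record was created by a party without the key.
        if not hmac.compare_digest(expected, tag):
            return Result("modified", 0, None)
        seq = struct.unpack(">Q", header)[0]
        if seq in self._seen:
            return Result("replicated", 0, None)
        # A jump past the expected number means earlier records were deleted
        # or lost; a number below it is a late arrival and fills a known hole.
        gap = max(0, seq - self._next)
        self._seen.add(seq)
        self._next = max(self._next, seq + 1)
        return Result("ok", gap, payload)


def demo() -> list:
    """Constructed scenario: four records sent; the channel tampers, drops,
    replays and inserts a forged record.  Returns the receiver's verdicts."""
    key = b"constructed-demo-key-not-for-real-use"
    sent = [protect(key, i, b"record %d" % i) for i in range(4)]
    tampered = bytearray(sent[1])
    tampered[SEQ_LEN] ^= 0x01                 # flip one bit of the payload
    forged = protect(b"wrong key", 4, b"record 4")   # built without the key
    delivered = [sent[0], bytes(tampered), sent[2], sent[2], sent[3], forged]
    rx = Receiver(key)
    return [rx.accept(r) for r in delivered]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.status, verdict.gap, verdict.payload)
```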

5 INFORMATION PROTECTION PROGRAMME

In order to have a successful system for the protection of information resources, it is required to plan, implement and maintain a comprehensive information protection programme. The person or group in the organisation with responsibility for information protection should present to senior management a clear view of the threats and alternative solutions for countering those threats, so that after carrying out a risk analysis process, in terms of weighing potential losses versus the cost and effort of limiting the exposures, management can take appropriate decisions. The information resource security protection programme can be divided into the following stages to have proper understanding of the programme, help in implementation and also to measure the progress of programme implementation:

i) Adoption of an information resource security policy,
ii) Development and implementation of a data classification system,
iii) Development of an information protection standards manual,
iv) Planning for the management of the information protection programme, and
v) Ongoing programme maintenance and enforcement.

5.1 Stage I : Adoption of an Information Resource Security Policy

The organisation's policy statement should set ground rules for the protection of the information resources and state responsibilities and accountabilities of all concerned. The policy should precisely state the value to the organisation of data and information, their integrity, confidentiality and availability, and the need to procure resources. In addition to identifying information asset protection and fixing information manager/employee responsibility and accountability, the information resource security policy statement should set forth information protection programme priorities. Management should set a clear direction and demonstrate the effectiveness of that in the face of accidental or deliberate unauthorised disclosure, modification or destruction, through the issue and implementation of an organisation wide information resource security policy. The policy should also state the requirement to provide computer security and awareness training to all its employees having access to information resources, to help in deriving standards and guidelines for implementation. The intent of this information resource policy is to accomplish the following:

i) To ensure the confidentiality, availability and integrity of information,
ii) To reduce the risk of loss of information by accidental or intentional modification, disclosure or destruction, and
iii) To preserve the organisation's rights and remedies in the event of a loss.

The organisation will implement the information resource security policy in such a way as to:

i) Hold individuals accountable for their use of the organisation's information resources,
ii) Authorise access to information on a need to know basis, and
iii) Ensure timely access to information.

5.2 Stage II : Development and Implementation of a Data Classification System

Information assets must be classified according to their sensitivity and importance to the organisation. Since it is unrealistic to expect managers and employees to maintain absolute control over all information within the organisation, it is necessary to advise them of the boundaries:

i) What information should be brought under control,
ii) Which types of information are considered more sensitive, and
iii) How the organisation would protect the limited amount of sensitive information.

The management should give serious consideration to the programme prior to implementation. A continuous process of classification, declassification, labeling, storage, access, destruction and reproduction of classified data, and the administrative overhead this process will create, must be considered. Failure to maintain a balance between the value of the information classified and the administrative burden the classification system places on the organisation will result in long-term difficulties in achieving success. Thus, the classification has to be done very carefully and identify only sensitive information to be controlled under classified information.

5.2.1 A sample of four level classification is given below:

i) It is that classification of data of which unauthorised disclosure/use could cause serious damage to the organisation (important proprietary information, software, design drawings, etc.).
ii) Restricted: It is that classification of data of which unauthorised disclosure/use would not be in the best interest of the organisation (computer software, personnel data, budget information, some documents and drawings).
iii) Internal Use: It is that classification of data that does not require any specific degree of protection against disclosure within the company (operating procedures, inter-office memorandums, telephone directory).
iv) It is that classification of data that requires no protection against disclosure either (published reports, manuals, periodicals, or equivalent information/documents which are available in some open literature).

5.3 Stage III : Development of Information Protection Standards Manual

The functions needed to provide effective protection of the information resources of an organisation should be well defined. In order to facilitate the implementation of these functions, they are translated in terms of standards, procedures and guidelines.

This manual should contain the defined standards, procedures and guidelines, especially tailored to the specific needs of a particular organisation. Thus, the standards must be derived and developed from the policy statement to meet the defined objectives. Procedures should be worked out towards how to carry out the activities as stated in the standards. These procedures should be unambiguous and should be in harmony with the working environment of the organisation. They should be made mandatory. Those procedures which have not reached the level where they can be made mandatory can be treated as guidelines, and their use should be encouraged till they take the form of procedures. Such standards, procedures and guidelines should be developed and periodically updated at defined regular intervals. The manual is the primary communication tool for specific information protection responsibilities. The information protection administrator must maintain the manual properly so that it will be perceived and handled with the seriousness it deserves. Standards, procedures and guidelines in written form must be distributed to all personnel.

As mentioned earlier, the management policy towards protection of information resources should be stated in this manual. This should set a clear direction and demonstrate management support through the issue of this organisation-wide information security policy.

The update policy should also be defined in detail, including responsibilities and review dates, for maintaining the policy document updated and effective.

To manage information protection within the organisation there are many management functions to be carried out. A well defined management framework, in terms of its organisation and responsibilities, should be established to initiate, plan and control the implementation of the information protection system. Sometimes, a source of specialist's advice may need to be established and made available within the organisation to keep up with industry trends, standards and assessments.

To maintain appropriate protection of the organisation's information resources, all major information resources should be accounted for and each identified to have a nominated owner. Usually the person who generates the information is the natural owner of the information. As many small pieces of information are integrated, the value of the information increases, and so a higher level of responsibility for the protection of the integrated information is required. The owner should be assigned responsibility for implementing security measures, which may be delegated, but the accountability for protection of the information resources should remain with the owner. Management at all levels of the organisation are responsible for it. Specific responsibilities are detailed below:

Senior Management : They are primarily responsible for establishing and maintaining information resource security within their functional area, which includes the following:
a) Evaluating corporate information and implementing controls,
b) Authorising an individual's access to information,
c) Promptly removing IDs of disgruntled employees from the system,
d) Guarding against unlawful acquisition and/or use of information, and
e) Providing a back-up system and maintaining operations.

Information Systems Department : They are generally the custodians of information resources for all functions throughout the organisation, and their responsibilities include the following:
a) Support the organisation in the design, implementation, training and use of information security controls, automated and manual,
b) Maintain a secure and safe information systems environment,
c) Maintain the integrity of all security controls and plans, and
d) Develop systems for all information processing that provide contingency, timely redundancy, alternative recovery capability, and insurance against loss of information resources.

Internal Auditors : They are responsible for evaluating controls or procedures and testing compliance with security policies, standards and procedures, and for reporting to management the adequacy of security controls over information resources.

Users : They are responsible for adhering to all the policies, standards and procedures, which includes the following:
a) Maintaining confidentiality of information,
b) Maintaining confidentiality of security controls and passwords,
c) Reporting suspected security violations to management, and
d) Executing a confidentiality agreement.

v) Measures for User Awareness

To ensure that users are aware of security threats to the information assets and are equipped to support the security policy laid out in the organisation in this regard, users must be trained and made aware of it. Users should be given adequate education and technical training in this regard. To minimise the damage from security incidents and malfunctions, as well as to monitor and learn from such incidents, incidents dealing with security must be reported through the correct channel as quickly as possible.

The defined policies, standards and procedures which are derived from the policies must be implemented and adhered to. These standards and procedures must be enforced in a systematic way in the organisation. For this an implementation plan has to be drawn up carefully, considering the prevailing practices and environment. A formal procedure for permitting deviation from the defined standards should also be worked out. The course of action in case of an identified breach of procedure should also be defined. Noncompliance or violation of the defined policy and standards should result in an action which should be significant enough to serve as a deterrent. They may include, but are not limited to, suspension, termination, other disciplinary action or civil and/or criminal prosecution.
Access Control Measures

Access control measures are the most effective ways of ensuring integrity and confidentiality of an information source. As more and more information is networked, access control at the computer level, network level, application level, user level and for outside users is discussed.

i) Computer Access Control

To prevent unauthorised computer access, access to computer facilities should be controlled. Access to computer facilities needs to be restricted to authorised users. Computer facilities which serve multiple users should be capable of:
a) Identifying and verifying the identity of each authorised user,
b) Providing a password management system which ensures quality passwords, and
c) Restriction of connection times to provide additional security for high risk applications.

Sensitive computing systems might require a dedicated or isolated systems environment. For this:
a) The sensitivity of an application should be explicitly identified and documented by the application owner, and
b) When a sensitive application is to run in a shared environment, the application systems with which it will share resources should be identified and agreed with the owner of the sensitive application.

ii) Network Access Control

To protect information available on the network, connections to networked services should be controlled. These controls should ensure that connected users or computer services do not compromise the security of any other network services. Controls should include:
a) Appropriate interfaces between networked services,
b) Appropriate authentication mechanisms for remote users and equipment, and
c) Control of user access to information services.

Networks may require to be divided into separate domains to facilitate better control, and be protected by a defined security perimeter (sometimes referred to as a fire wall) or a network gateway. Access between domains can thus be controlled by a security gateway incorporating appropriate routing and connection capability controls. The criteria for segregation of networks into domains should be based on the organisation's access control policy and requirements.

iii) Application Access Control

To prevent unauthorised access to information held in computer systems, access to application systems and data may require to be controlled through logical access controls. Logical access to computer software and data should be restricted to authorised users, and should:
a) Control user access to data and application functions in accordance with a business access control policy,
b) Provide protection from unauthorised software utilities that are capable of overriding system or application controls, and
c) Not compromise the security of other systems with which information resources are shared.

iv) User Access Control

To prevent unauthorised computer access, access to data should be controlled on the basis of requirements. There should be formal procedures to control the allocation of access rights to information resources. The procedures should cover all stages in the life cycle of user access, from the initial registration of new users to the formal de-registration of users who no longer require access to information resources. Special attention should be given, where appropriate, to the need to control the allocation of privileged access rights which allow users to override system controls. In this connection, the allocation of user passwords should be securely controlled and access rights should be reviewed at regular intervals.

v) Access by Third Party Users

Access to the information by third party users may present a security risk. Where there is a genuine need for such access, a risk analysis should be carried out to determine the implementation of control requirements. The controls agreed upon should be defined in a contract with the third party.

Some additional measures required for ensuring integrity and confidentiality are discussed below, which can form part of the standards and procedures.
IS 14356 : 1996 updating of opcratioual program through nominated persons ilhC, holdinp dy executable code-~n the
OpCriltiOIlill sysleIna1k.l Ilot the sourcecode, IUilint;linprOgriUlL t'0f

Mnn;lgers WIN> WZ responsible for ilppliCiltioI1 SYSterns iUe also responsible for the security Of Ule project Or support environment. They should ensure thnt (111 proposed ehiuiges iue formully reviewed imd they do not compromise the security of either the system or operating environment. It should ilk0 1x2 ensured thidtSUppOrt programs XC giVCU ikX%SS Only to @St? PitiS 0ft.k SyStCltl thi1tiUeIlCceSSilfy for their work. In addition to ensure correct version of oppliCiltiOIl ilId system prOgriUnS. ilCOntigl.lriitiOn Illiulil~Cr should be identified. Similarly, the hilI$WXe sh0uld ills0 be under strict configuration control. These chunges must go through the formal procedure for approval.

ing audit log of all updates to operatiunal
ilIllJ retaininp preVious versions

01` SOt'tWilX

conliugeucies.

This is to prevent loss, modification or misuse Of&tu during exchanges of dnta and software between organisations. Exchimges of data and software between organisations should be curried out based on formal agreement. Procedures ilud stundards tomprotect~media in transit should be established. (.`onsideration should be given to the security impliciltions associated with various forms of infornialioo exchanges like electronic mail, file tramsfers, etc, and the requirements for security controls. Clear pohcies are required to control the security risks ilssociiltecl with electronic oftice systems prevalent these days. iii) Network Cmtrol To ensure the protection of information in networks, the security of computer networks should be implemented. Network munugers should eusure that appropriate controls are est;iblisbed thr security Of'datil in networks imclthe protection of co~mxted services from uI~ilutll0riSfXl ilCCeSS.

For highly security~sensitive information, added protectioa io ndditioo to access contrd can be provided by I11ilppiIlg techuiqucs Lhilt render the information to be protected relatively inaccessible to ~111 but those who ~posscss some criticnl inf0rmalion about the IUilppi@<. `1k.y XC ilCl~it!V~cl through encipherment ol'iali~nnotio~t. `l'hisis based OII either symmetric or nsynunc~ric cnciphcnnent. III symmetric same key is used li)r encipher ilIld decipher whrrras in ilSyUlll~Ctric case, public key is used to encipher but corresponding private key is usd to decipher them.

`I'0 s~ltgu~d

the inlegrity of sottwarc and data. precautions arc rcquircd to prevent the iutrduction 01'malicious soltwa.rr. (`omputcr SOftWiUt? is vulnerable to u~~~wthorised mdil'ic;lti~~~~. some 01' the tcchniqucs used li)r this purpose include computer viruses. network worms, `l`IX!jilll horses and logic bombs. la pahxhr, precaution sh~ld be takeI1 to
detect and preVeIit computer viruses 011 personal computers.

ii) Protection drrring Meditr Htrndling
1'0 prrvcut Jamage to
iuli~rmiltkm assets ilIld interruptiou to business activities, computer media should be controlled iu)d physidly protected. There should be dell laid out procedures especially for manageIneIlt ol`ren~~vablecomputer mediii, and for h:mdling sensitive diltil. 111 ildditkm, SyStCIll diKUIl~~ntiltiO~l which may COIltiliIl descriptiou of ilppliC:ltion processes, procedures, data structures, and auth0risilti011 process, should be protected from unauthorised ilCCtXS.

TO prevent loss. mdifici~tiou or misuse of user dilta in application systems, the design and operiition should conform Losecurity requirements needed to protect information resources. These should include input data validation to ensure that it is correct iuld appropriate. periodic review of contents of key lields or data files to confirm their integrity, internal processing vnlidntioa to detect pmcessing error or ilIly deliberate act for highly seusitive data. IUCSSilgC authentication for application involving the transmission of sensitive data. In addition which are desirable to be exercised to minimise the risk ot corruption of application syslems mily iucludc

iii) Computer Equipment Security
Equipment and telecommunication cabling used for information processing should be placed in such a way that they are free from risks of damage, interference and unauthorised access. Care should also be taken that they are protected from power failures and other electrical anomalies.

iv) Physical Security
Care should be taken to see that unnecessary access to the equipment needing security is minimised to facilitate its physical protection. Special care should be taken to see that it is well protected from fire, dust, water, smoke, heat, vibration etc, as well as interference.

v) House Keeping Maintenance in terms of Back up etc
To maintain the integrity and availability of information resources, housekeeping measures are required. Routine procedures should be established for taking back up copies of data, logging events and faults and, when appropriate, monitoring the equipment environment.

5.4 Stage IV : Planning for the Management of Information Protection

For planning of protection of information resources, a comprehensive risk analysis is carried out. Any risk can be defined as a resultant value derived from mapping of perceived and known threats against perceived and known vulnerability of the information system. Towards carrying out the risk analysis, it is necessary to take into account the value of the information in terms of its integrity, mission support and continuity. For this it is important that three types of information assets, namely value of the actual information, value of the hardware and software components and value of the services to be provided, are known. These three types of information assets should be evaluated and assessed based on three criteria of confidentiality, integrity and availability. To assess the value of the confidentiality of a specific information asset, it is estimated what an organisation will pay directly or indirectly for the information, or the legal damage the organisation may experience, if the information found its way into wrong hands. Integrity refers to those services required to ensure that information is accurate, complete and authentic when it is processed and stored; thus the value of integrity refers to those costs which an organisation will pay directly or indirectly due to loss of any of the above said attributes. Availability can be valued by assessing the impact of having a service, information source or a data file ceasing to exist. This can be seen either as a total loss or a temporary loss over a period of time. Having assessed the value, identification of possible threats is carried out to assess the risk due to each possible threat, knowing its possibility of occurrence.

The economic assessment is used to examine the potential loss expectancy, given various threat execution scenarios. Since it is not possible to have a risk free environment, risks have to be managed. Based on the potential impact and probability of a risk, a prioritisation should be carried out to determine which threats are to be controlled and managed. Risks are managed by developing and implementing countermeasure applications against each identified risk. These countermeasures are designed to support information security objectives in three different capacities, which include:
i) Prevention mechanism
ii) Detection mechanism
iii) Correction mechanism

After planning for the countermeasures, the residual risks are analysed to find out whether they are at the acceptable level. Having identified all the planned countermeasures, further planning is carried out to ensure that for each of the countermeasures required, resources are made available in terms of manpower, money, equipment and required infrastructure. Implementation is carried out according to the earlier defined plan. However, there is a need for constant monitoring and control of all the activities identified in the plan. This is helpful to make required changes in the plan and to ensure a successful information protection programme.
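The Stage IV procedure above (value assets on confidentiality, integrity and availability, estimate the possibility of each threat, compute loss expectancy, prioritise, then check residual risk against the acceptable level) carried through on constructed figures, as an added example that is not part of the standard; the asset values, probabilities and countermeasure effectiveness numbers are assumptions.

```python
"""Added worked example of the Stage IV risk analysis described above (not part of
the standard). Asset values per attribute, threat probabilities and countermeasure
effectiveness are constructed sample figures."""
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    confidentiality: float   # cost if the information reaches the wrong hands
    integrity: float         # cost of the information being inaccurate or incomplete
    availability: float      # cost of the service or data file ceasing to exist

@dataclass
class Threat:
    name: str
    asset: str
    probability: float       # estimated possibility of occurrence per year
    impact: dict             # fraction of each attribute's value lost per occurrence

def loss_expectancy(asset, threat):
    """Potential loss expectancy = probability x value lost across C, I and A."""
    lost = sum(getattr(asset, attr) * frac for attr, frac in threat.impact.items())
    return threat.probability * lost

def prioritise(assets, threats):
    """Rank (expectancy, threat) pairs so the largest exposures are handled first."""
    by_name = {a.name: a for a in assets}
    return sorted(((loss_expectancy(by_name[t.asset], t), t) for t in threats),
                  key=lambda pair: pair[0], reverse=True)

def residual_risks(ranked, reductions, acceptable):
    """Apply planned countermeasures (threat name -> fraction of loss prevented)
    and flag residual risks that still exceed the acceptable level."""
    report = []
    for expectancy, threat in ranked:
        residual = expectancy * (1.0 - reductions.get(threat.name, 0.0))
        report.append((threat.name, round(residual, 2), residual <= acceptable))
    return report

ASSETS = [Asset("customer database", 500_000, 200_000, 100_000),
          Asset("payroll system", 50_000, 300_000, 80_000)]
THREATS = [Threat("leakage of customer records", "customer database", 0.10, {"confidentiality": 1.0}),
           Threat("virus corrupting payroll data", "payroll system", 0.30, {"integrity": 0.5, "availability": 0.25}),
           Threat("fire in computer room", "payroll system", 0.02, {"integrity": 1.0, "availability": 1.0})]
COUNTERMEASURES = {"virus corrupting payroll data": 0.80,   # detection and correction controls
                   "leakage of customer records": 0.90}     # prevention (encipherment, access control)

if __name__ == "__main__":
    ranked = prioritise(ASSETS, THREATS)
    print(residual_risks(ranked, COUNTERMEASURES, acceptable=10_000))
```

The sample shows the point of the residual-risk step: the virus threat is ranked first and, even after an 80 per cent effective countermeasure, still sits above the assumed acceptable level, so it needs further planning.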

5.5 Stage V : Ongoing Information Protection Programme and its Maintenance

There is a need to monitor and assess the effectiveness of the existing information protection programme via internal or external audit procedures. The enforcing mechanism for the standards and procedures should also be well worked out. Regular update of the information resource security programme is required because of the rapidly changing data processing and information security environments.

The mechanisms for getting feedback and the update process of the standards manual should be clearly defined. There should be a well identified source in the organisation who can be contacted in case of any clarification on the policy or implementation issues. Usually this is the chief of information systems.

Effective information protection requires a high level of awareness of all involved. For this, self-assessment helps to a large extent. For self-assessment to achieve a higher degree of managers' awareness, it is recommended that all managers periodically complete a short self-assessment objective questionnaire to answer questions about the information protection within their area of control. Apart from assessment of the effectiveness of the information protection programme, answering them will increase information protection awareness because managers will have to answer objectively. As exposures are identified, actions required to address vulnerability can be documented and committed for correction.

(Continued from second cover)
a) By understanding the semantics of the data itself (from the value of the data),
b) By using associated attributes of the data to permit inferring (for example size, dynamic variation like date of last update, etc), and
c) By considering the context of the data, that is other data objects that are associated with it (from knowing where the data exist).

Availability of information is aimed at protection from the following:
i) Physical destruction of equipment or network segment,
ii) Inoperability of equipment or network due to equipment malfunction, software failure, or sabotage, and
iii) Degradation of performance from system saturation, link or bit error rate.

The information protection system should comprehensively ensure security against all the above possibilities. After introducing the issues involved, this document is aimed at providing a guideline to implement a comprehensive information protection system spread out in different stages to facilitate its implementation. It also provides for the flexibility of implementation needed by different organisations depending on their size, working methods and existing environment. To that extent the guideline has been deliberately kept generic in nature.

